plainconf 0.1.12

Minimal configuration handling supporting hashicorp vault.

Plainconf

Attempts to help build sensible configuration for python projects.

DISCLAIMER

Unless you need some specific functionality in here, I recommend using Dynaconf as it is more mature.

Install

pip install plainconf

What does this do?

It will create a flat conf (no nesting or anything, just one level) taking entries from the same environment from a settings file and either

• a secrets file

• hashicorp vault if vault_url, a mount_point and either token, userpass or approle credentials are provided (optionally vault_path)

• a secrets file with fernet encrypted values if the key is provided (s. encrypting toml file with fernet

settings.toml

[development]
db_url = "localhost:4321"

.secrets.toml

[development]
password = "secret"

    conf = Plainconf(
        environment="development",
        settings_file="settings.toml",
        secrets_file=".secrets.toml",
    )

    assert conf.db_url == "localhost:4321"
    assert conf.password == "secret"

Encrypting toml file with fernet

In order to encrypt the values in the toml file you will need a fernet key

    from cyptography.fernet import Fernet

    key = Fernet.generate_key()

encrypt_toml(str, str) expects the key as bytes and the path to the secrets file to be encrypted:

    from plainconf import encrypt_toml

    encrypt_toml(b'key', '.secrets.toml')

Which will output a file ending on _enc.toml with the values encrypted

[development]
password = "gAAAAABlDfsMIkZzIqKFQW8NBHVIqITKLCgQkzr6VKOYglHroZ--jFtkEsFr3feqSL1WCWy7gdlhvjHkBmx_JjQxKYKiqNge0A=="

In order to read the encrypted secrets, the key has to be given as keyword argument or environment variable (without the b at the beginning)

Limitations

• Only supports userpass and token authentication on Hashicorp Vault

• Only works with kv secret engine

• Only supports toml

(for now)

Examples

With files

    .mysecrets.toml:

    [development]
    password = 'secret'

    conf = Plainconf(
        secrets_file='.mysecrets.toml', 
        settings_file='mysettings.toml',
        environment='development'
    )
    
    ...

    conf.password ("secret")

With vault

on the vault:

somewhere/development:
password = 'supersecret'

    conf = Plainconf(
        vault_url="http://localhost:8200",
        vault_token="hvs.abc123def456",
        vault_mount_point="somewhere",
        environment="development"
    )

    conf.password ("supersecret")

Enviroment from env

.env file:

PLAINCONF_ENVIRONMENT="development"
PLAINCONF_VAULT_TOKEN="hvs.something123"
PLAINCONF_VAULT_URL="http://development.vault:8200"

    conf = Plainconf()
    conf.password ("supersecret")

Settings REQUIRED!

Plainconf(settings_file='path_to_file')
or environment variable PLAINCONF_SETTINGS_FILE="...""

Settings are read from the respective environment (default: default)

Secrets

Plainconf(secrets_file='path_to_file')
or environment variable PLAINCONF_SECRETS_FILE="...""

Secrets are read from the environment (default: default)

Environments

Plainconf(environment='name')
or environment variable PLAINCONF_ENVIRONMENT="...""
or default: default

Vault

Hashicorp Vault can be accessed via token, approle or userpass.

Required configuration:

• Plainconf(vault_url='http...') or environment variable PLAINCONF_VAULT_URL

• Plainconf(vault_mount_point='name') or environment variable PLAINCONF_VAULT_MOUNT_POINT

and either a token

• Plainconf(vault_token="hvs...") or PLAINCONF_VAULT_TOKEN

or user and pass

• Plainconf(vault_user='user', vault_pass='password') or PLAINCONF_VAULT_USER and PLAINCONF_VAULT_PASS

or approle id and secret

• Plainconf(vault_approle_id='role_id', vault_approle_secret_id='secret_id') or PLAINCONF_APPROLE_ID and PLAINCONF_APPROLE_SECRET_ID

Optional:

• Plainconf(vault_path='secret/special...') or PLAINCONF_VAULT_PATH or default: environment (see above)

Plainconf tries to connect to the vault kv secrets engine v2 by default and v1 thereafter.

Fernet Key

• Plainconf(fernet_key='key') or PLAINCONF_FERNET_KEY'